Red Hat Bugzilla – Bug 869071
Password authentication for users from trusted domains does not work
Last modified: 2013-02-21 04:37:54 EST
Description of problem: I'm trying to setup an AD Trust and to allow AD users to log into IPA Clients. For the most part, I followed this: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust [root@rhel6-1 ~]# vi /etc/krb5.conf ... [realms] TESTRELM.COM = { ... auth_to_local = RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/ auth_to_local = DEFAULT } [root@rhel6-1 ~]# vi /etc/sssd/sssd.conf ... [domain/ipa.lan] ... subdomains_provider = ipa ... [sssd] services = nss, pam, ssh, pac [root@rhel6-1 ~]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users external map' adtestdom_domain_users_external --external --------------------------------------------- Added group "adtestdom_domain_users_external" --------------------------------------------- Group name: adtestdom_domain_users_external Description: adtestdom.com Domain users external map [root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users' adtestdom_domain_users ------------------------------------ Added group "adtestdom_domain_users" ------------------------------------ Group name: adtestdom_domain_users Description: adtestdom.com Domain users GID: 1277200028 Here I ran into a problem where wbinfo returned: [root@rhel6-1 ~]# wbinfo --online-status BUILTIN : online TESTRELM : online ADTESTDOM : offline AD2TESTDOM : offline [root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\Domain Users" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name ADTESTDOM\Domain Users After some troubleshooting and rebooting AD server, I found that the time was off on the AD server and saw this error in messages: Oct 22 17:43:05 rhel6-1 winbindd[12089]: kerberos_kinit_password TESTRELM@ADTESTDOM.COM failed: Ticket is ineligible for postdating Fixed time on AD server. I think that fixed it. wbinfo --online status still showed offline but, the rest seemed to work: [root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\Domain Users" S-1-5-21-1246088475-3077293710-2580964704-513 SID_DOM_GROUP (2) [root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users_external --external S-1-5-21-1246088475-3077293710-2580964704-513 [member user]: [member group]: Group name: adtestdom_domain_users_external Description: adtestdom.com Domain users external map External member: S-1-5-21-1246088475-3077293710-2580964704-513 ------------------------- Number of members added 1 ------------------------- [root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users --groups adtestdom_domain_users_external Group name: adtestdom_domain_users Description: adtestdom.com Domain users GID: 1277200028 Member groups: adtestdom_domain_users_external ------------------------- Number of members added 1 ------------------------- Tailing the logs during ssh in shows this: (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180 (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping] ==> /var/log/secure <== Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com ==> /var/log/sssd/sssd_testrelm.com.log <== (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo] (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser1] (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_get_subdomain_account_info_send] (0x0040): Invalid sub-domain request type. (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,User lookup failed (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler] (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): domain: adtestdom.com (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): user: testuser1 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): service: sshd (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): tty: ssh (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): ruser: (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): rhost: 192.168.122.1 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok type: 1 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok size: 9 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): priv: 1 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): cli_pid: 14064 (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This operation is not allowed for subdomains! (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)] (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][adtestdom.com] (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adtestdom.com] ==> /var/log/secure <== Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user testuser1@adtestdom.com: 4 (System error) Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for testuser1@adtestdom.com from 192.168.122.1 port 54362 ssh2 ==> /var/log/messages <== Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.293018, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert) Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.317630, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert) Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'samr' already registered on endpoint Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.318604, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert) Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint ==> /var/log/sssd/sssd_testrelm.com.log <== (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180 (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching. (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping] Version-Release number of selected component (if applicable): How reproducible: unknown Steps to Reproduce: 1. Setup IPA server 2. Setup AD server 3. ipa-adtrust-install 4. ipa trust-add --type=ad adtestdom.com --admin Administrator --password 5. see above for following where this failed. Actual results: Expected results: Additional info:
Oh, and here's the version info: [root@rhel6-1 ~]# rpm -q ipa-server sssd samba4 ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64 sssd-1.9.90-0.20121019T0223zgit66318df.el6.x86_64 samba4-4.0.0-37.el6.rc3.x86_64
Upstream ticket: https://fedorahosted.org/sssd/ticket/1595
Created attachment 632246 [details] sssd_testrelm.com log during failed ssh with password attempt
Entries from /var/log/secure: Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com user=testuser1@adtestdom.com Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed] Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com user=testuser1@adtestdom.com Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): received for user testuser1@adtestdom.com: 7 (Authentication failure) Oct 23 13:56:42 rhel6-1 sshd[31804]: Failed password for testuser1@adtestdom.com from 192.168.122.61 port 36843 ssh2 Oct 23 13:56:42 rhel6-1 sshd[31805]: Connection closed by 192.168.122.61 Entries from /var/log/messages: Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed Entries from /var/log/krb5kdc.log: Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: NEEDED_PREAUTH: testuser1@TESTRELM.COM for krbtgt/TESTRELM.COM@TESTRELM.COM, Additional pre-authentication required Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oh, here's confirmation on the version too: [root@rhel6-1 tmp]# rpm -q sssd sssd-1.9.90-0.20121023.1813.git8662356.el6.x86_64
Can you add your sssd.conf as well?
(In reply to comment #8) > Can you add your sssd.conf as well? [root@rhel6-1 tmp]# cat /etc/sssd/sssd.conf [domain/default] cache_credentials = True [domain/testrelm.com] debug_level = 10 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = testrelm.com id_provider = ipa auth_provider = ipa access_provider = ipa subdomains_provider = ipa ipa_hostname = rhel6-1.testrelm.com chpass_provider = ipa ipa_server = rhel6-1.testrelm.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] debug_level = 10 services = nss, pam, ssh, pac config_file_version = 2 domains = testrelm.com [nss] [pam] [sudo] [autofs] [ssh] [pac]
Can you retry with a clean cache? service sssd stop rm -f /var/lib/sss/mc/* /var/lib/sss/db/* service sssd start
Ok, looks like it was a caching issue there: [root@rhel6-1 ~]# service sssd stop Stopping sssd: [ OK ] [root@rhel6-1 ~]# rm -f /var/lib/sss/mc/* /var/lib/sss/db/* [root@rhel6-1 ~]# > /var/log/sssd/sssd_testrelm.com.log [root@rhel6-1 ~]# service sssd start Starting sssd: [ OK ] [root@rhel6-1 ~]# ssh -l testuser1@adtestdom.com rhel6-1.testrelm.com testuser1@adtestdom.com@rhel6-1.testrelm.com's password: Last login: Tue Oct 23 23:08:55 2012 from 192.168.122.23 id: cannot find name for group ID 1232801127 -sh-4.1$ So, it looks like the test rpm worked.
Fixed upstream.
[root@rasalghul ~]# ipa trust-find --------------- 1 trust matched --------------- Realm name: adlab.qe Domain NetBIOS name: ADLAB Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477 Trust type: Active Directory domain ---------------------------- Number of entries returned 1 ---------------------------- [root@rasalghul ~]# kdestroy [root@rasalghul ~]# getent passwd fuser@adlab.qe fuser@adlab.qe:*:1979001104:1979001104::/home/adlab.qe/fuser: [root@rasalghul ~]# ssh -l fuser@adlab.qe rasalghul.testrelm.com fuser@adlab.qe@rasalghul.testrelm.com's password: Last login: Wed Nov 7 14:13:10 2012 from rasalghul.testrelm.com -sh-4.1$ pwd /home/adlab.qe/fuser -sh-4.1$ whoami fuser@adlab.qe -sh-4.1$ id uid=1979001104(fuser@adlab.qe) gid=1979001104(fuser@adlab.qe) groups=1979001104(fuser@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -sh-4.1$ logout Connection to rasalghul.testrelm.com closed.
If I understand correctly, this one was found to be failing when the username (user@domain) is shorter than the IPA server domain name. So will still work in some cases. Expecting another fix from Dev for this asap. Will move this back to Assigned so it can be handled appropriately and doesn't get lost in the shuffle.
Ok, The issue prompting me to move back to assigned was determined to be a different issue and warranted a separate bug https://bugzilla.redhat.com/show_bug.cgi?id=878262 I did confirm that when upn longer than IPA realm this still works. Moving this back to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html